V7 - Cryptography Verification Requirements

The Encryption Verification Requirements define a set of requirements that can be used to verify an application's encryption, key management, random number, and hashing operations. Applications should always use FIPS 140-2 validated cryptographic modules, or cryptographic modules validated against an equivalent standard (e.g., a non-U.S. standard). The table below defines the corresponding verification requirements that apply for each of the four verification levels.

Table 7 - OWASP ASVS Cryptography Requirements (V7)

|Verification Requirement| |Level 1A|Level 1B|Level 2A|Level 2B|Level 3|Level 4| |:-----------------------|:|:-------|:-------|:-------|:-------|:------|:------| |V7.1 |Verify that all cryptographic functions used to protect secrets from the application user are implemented server side.| | |x |x |x |x | |V7.2 |Verify that all cryptographic modules fail securely.| | |x |x |x |x | |V7.3 |Verify that access to any master secret(s) is protected from unauthorized access (A master secret is an application credential stored as plaintext on disk that is used to protect access to security configuration information).| | | |x |x |x | |V7.4 |Verify that password hashes are salted when they are created.| | | |x |x |x | |V7.5 |Verify that cryptographic module failures are logged.| | | |x |x |x | |V7.6 |Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module's approved random number generator when these random values are intended to be unguessable by an attacker.| | | |x |x |x | |V7.7 |Verify that cryptographic modules used by the application have been validated against FIPS 140-2 or an equivalent standard. (See http://csrc.nist.gov/groups/STM/cmvp/validation.html).| | | | |x |x | |V7.8 |Verify that cryptographic modules operate in their approved mode according to their published security policies (See http://csrc.nist.gov/groups/STM/cmvp/validation.html).| | | | |x |x | |V7.9 |Verify that there is an explicit policy for how cryptographic keys are managed (e.g., generated, distributed, revoked, expired). Verify that this policy is properly enforced.| | | | |x |x | |V7.10 |Verify that all code supporting or using a cryptographic module is not affected by any malicious code.| | | | | |x |